b'                        OFFICE OF\n                 THE INSPECTOR GENERAL\n                       U.S. NUCLEAR\n                 REGULATORY COMMISSION\n\n\n                          Systems Evaluation of the\n                          General License Tracking\n                               System (GLTS)\n\n                     OIG\xe2\x80\x9304-A-24 September 30, 2004\n\n\n\n\n              EVALUATION REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                               NRC\xe2\x80\x99s website at:\n             http://www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                            September 30, 2004\n\n\n\n\nMEMORANDUM TO:               Luis A. Reyes\n                             Executive Director for Operations\n\n\n\nFROM:                        Stephen D. Dingbaum/RA/\n                             Assistant Inspector General for Audits\n\n\nSUBJECT:                     SYSTEM EVALUATION OF THE GENERAL LICENSE\n                             TRACKING SYSTEM (GLTS) (OIG-04-A-24)\n\nThis evaluation was conducted as part of the Office of the Inspector General\xe2\x80\x99s review of\nNRC\xe2\x80\x99s implementation of the Federal Information Security Management Act (FISMA) for\nFY 2004. Richard S. Carson & Associates, Inc., performed this independent system\nevaluation on behalf of OIG.\n\nBased on its review and evaluation of the General License Tracking System\xe2\x80\x99s\nmanagement, operational, and technical controls, Richard S. Carson & Associates, Inc.,\ndetermined that GLTS has the following weaknesses:\n\n   \xc3\x98 Security documentation for GLTS does not always follow required guidelines.\n   \xc3\x98 Security protection requirements are inconsistent within GLTS\xe2\x80\x99 security\n     documentation.\n   \xc3\x98 NRC is not tracking all action items resulting from testing GLTS\xe2\x80\x99 security controls.\n\nThe weaknesses identified are not significant deficiencies or reportable conditions.\nDuring an exit conference on September 13, 2004, NRC officials provided comments\nconcerning the draft audit report and opted not to submit formal written comments to this\nreport.\n\nIf you have any questions or wish to discuss this report, please call me at 415-5915 or\nBeth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cDistribution List\n\nB. John Garrick, Chairman, Advisory Committee on Nuclear Waste\nMario V. Bonaca, Chairman, Advisory Committee on Reactor Safeguards\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nDennis K. Rathbun, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nPatricia G. Norry, Deputy Executive Director for Management Services, OEDO\nWilliam F. Kane, Deputy Executive Director for Homeland Protection\n  and Preparedness, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research\n  and State Programs, OEDO\nEllis W. Merschoff, Deputy Executive Director for Reactor Programs, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nJacqueline E. Silber, Chief Information Officer\nMichael L. Springer, Director, Office of Administration\nFrank J. Congel, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nPaul E. Bird, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\nOffice of Public Affairs, Region I\nOffice of Public Affairs, Region II\nOffice of Public Affairs, Region IV\n\x0c                       \xe2\x80\x9cOffice of the Inspector General\n                           System Evaluation of the\n                   General License Tracking System (GLTS)\xe2\x80\x9d\n\n\n\n\n                          Contract Number: GS-00F-0001N\n                        Delivery Order Number: DR-36-03-346\n\n                                              September 24, 2004\n\n\n\n\n\xe2\x80\x9cThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official U.S. Nuclear\n              Regulatory Commission position, policy, or decision, unless so designated by other official documentation.\xe2\x80\x9d\n\x0c[Page intentionally left blank]\n\x0c                                                                           System Evaluation of GLTS\n\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n      On December 17, 2002, the President signed the E-Government Act of 2002 (Public Law\n      107-347), which includes the Federal Information Security Management Act (FISMA) of\n      2002. FISMA outlines the information security management requirements for agencies,\n      which include an independent evaluation of an agency\xe2\x80\x99s information security program\n      and practices, and an evaluation of the effectiveness of information security control\n      techniques. FISMA also requires an assessment of compliance with requirements and\n      related information security policies, procedures, standards, and guidelines. As part of\n      the Fiscal Year 2004 FISMA independent evaluation of the U.S. Nuclear Regulatory\n      Commission\xe2\x80\x99s (NRC) information technology security program, Richard S. Carson\n      Associates, Inc. (Carson Associates) reviewed security controls for the General License\n      Tracking System (GLTS).\n\n      GLTS facilitates the tracking and accountability of general licensees and generally\n      licensed devices with the implementation of a general license registration program.\n      GLTS stores information about all current 10 CFR 31.5 and 31.7 general licensees, along\n      with device information and vendor information. Of these licensees, a subset, based on a\n      higher level of health and safety risk, will be subject to initial registration. The system\n      includes automation necessary to facilitate mailing, receipt, and input of registrations.\n\nPURPOSE\n\n      The system evaluation objectives were to review and evaluate the management,\n      operational, and technical controls for GLTS.\n\nRESULTS IN BRIEF\n\n      Carson Associates reviewed GLTS security documentation and found that GLTS security\n      documentation is not always consistent with National Institute of Standards and\n      Technology (NIST) guidelines, the security protection requirements are inconsistent\n      within GLTS security documentation, and findings and recommendations resulting from\n      testing are not consistently being tracked. None of these weaknesses are considered to be\n      significant deficiencies or reportable conditions as defined in Office of Management and\n      Budget guidance.\n\n      Security Documentation Is Not Always Consistent With NIST Guidelines\n\n      FISMA directs the Secretary of Commerce, on the basis of standards and guidelines\n      developed by NIST, to prescribe standards and guidelines pertaining to Federal\n      information systems. NIST has developed several guidelines and standards, including\n      those for conducting risk assessments, developing security plans, and contingency plans.\n      NRC Management Directive (MD) 12.5, NRC Automated Information Security Program,\n      which was revised in September 2003, states that NRC shall comply with NIST guidance\n\n\n                                               i\n\x0c                                                                     System Evaluation of GLTS\n\n\n\nto include guidance related to the preparation of security documentation (such as system\nsecurity plans, risk assessments, and contingency plans), and other applicable NIST\nguidance for information technology security processes, procedures, and testing.\n\nThe previous version of MD 12.5 did not require compliance with NIST guidelines,\nhowever, Office of Management and Budget (OMB) Circular A-130, Management of\nFederal Information Resources, Appendix III, Security of Federal Automated\nInformation Resources, states that each agency\xe2\x80\x99s program shall implement policies,\nstandards and procedures which are consistent with government-wide policies, standards,\nand procedures issued by the Office of Management and Budget, the Department of\nCommerce, the General Services Administration and the Office of Personnel\nManagement. OMB periodically reminds agencies that agency security practices should\nbe consistent with NIST guidance. The FY 2004 FISMA guidance issued by OMB\nspecifically states that agencies must follow NIST standards and guidance. Use of NIST\nguidance is flexible, provided agency implementation is consistent with the principles\nand processes outlined within the NIST guidance.\n\nCarson Associates reviewed the GLTS Risk Assessment, Security Plan, and Business\nContinuity Plan and found that while the documentation is up-to-date, it is not always\nconsistent with NIST guidelines.\n\nSecurity Protection Requirements Are Inconsistent Within Security\nDocumentation\n\nFISMA defines the term \xe2\x80\x9cinformation security\xe2\x80\x9d to mean protecting information and\ninformation systems from unauthorized access, use, disclosure, disruption, modification,\nor destruction in order to provide confidentiality, integrity, and availability.\nConfidentiality is preserving authorized restrictions on information access and disclosure,\nincluding means for protecting personal privacy and proprietary information. Integrity is\nguarding against improper information modification or destruction, and includes ensuring\ninformation non-repudiation and authenticity. Availability is ensuring timely and reliable\naccess to and use of information. Confidentiality, integrity and availability are often\nreferred to as security protection requirements or security objectives for a system. The\nsecurity protection requirements defined in the GLTS Security Plan and in the FY 2003\nand FY 2004 GLTS self-assessments are inconsistent.\n\nFindings and Recommendations Resulting From Testing Are Not Consistently\nBeing Tracked\n\nThe FY 2003 FISMA independent evaluation of NRC\xe2\x80\x99s information security program\nfound that not all corrective actions resulting from security reviews and testing were\nbeing tracked and that the agency\xe2\x80\x99s corrective action process needed improvement. The\nOffice of the Inspector General (OIG) recommended that the agency identify all\nweaknesses and recommendations from security documentation and any other security\nreviews, and determine in which tool the recommendations will be tracked. In November\n2003, the Office of the Chief Information Officer (OCIO) issued a memo describing the\nagency\xe2\x80\x99s information technology security action item tracking process, strategy, and\n\n\n                                         ii\n\x0c                                                                       System Evaluation of GLTS\n\n\n\n     tools. Carson Associates found that findings and recommendations resulting from testing\n     of GLTS security controls and from GLTS contingency plan testing are not consistently\n     being tracked.\n\nRECOMMENDATIONS\n\n     This report makes five recommendations to the Executive Director for Operations to\n     strengthen management, operational, and technical controls for GLTS. A consolidated\n     list of recommendations can be found on page 11 of this report.\n\nAGENCY COMMENTS\n\n     On September 13, 2004, the Executive Director for Operations provided comments\n     concerning the draft system evaluation report. We modified the report as we determined\n     appropriate in response to these comments.\n\n\n\n\n                                            iii\n\x0c                                  System Evaluation of GLTS\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                                   System Evaluation of GLTS\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nBCP      Business Continuity Plan\nCFR      Code of Federal Regulations\nFIPS     Federal Information Processing Standards\nFISMA    Federal Information Security Management Act\nFY       Fiscal Year\nGLTS     General License Tracking System\nITSSTS   Information Technology Systems Security Tracking System\nMD       Management Directive\nNIST     National Institute of Standards and Technology\nNMSS     Office of Nuclear Material Safety and Safeguards\nNRC      U.S. Nuclear Regulatory Commission\nOCIO     Office of the Chief Information Officer\nOIG      Office of the Inspector General\nOMB      Office of Management and Budget\nPOA&M    Plan of Action and Milestones\nSP       Special Publication\n\n\n\n\n                                       v\n\x0c                                  System Evaluation of GLTS\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              vi\n\x0c                                                                                                               System Evaluation of GLTS\n\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\n\n1 Background .............................................................................................................. 1\n\n2 Purpose..................................................................................................................... 2\n\n3 Findings .................................................................................................................... 2\n    3.1     Security Documentation Is Not Always Consistent With NIST Guidelines....................2\n    3.2     Security Protection Requirements Are Inconsistent Within Security Documentation.....7\n    3.3     Findings and Recommendations Resulting From Testing Are Not Consistently Being\n            Tracked.............................................................................................................................8\n4 Consolidated List of Recommendations.............................................................. 11\n\n5 OIG Response to Agency Comments................................................................... 12\n\n\nAppendices\n\n    Appendix A: Scope and Methodology ..................................................................................13\n\n\n\n\n                                                                     vii\n\x0c                                  System Evaluation of GLTS\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              viii\n\x0c                                                                                            System Evaluation of GLTS\n\n\n\n1        Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-\n347), which includes the Federal Information Security Management Act (FISMA) of 20021.\nFISMA outlines the information security management requirements for agencies, which include\nan independent evaluation of an agency\xe2\x80\x99s information security program and practices, and an\nevaluation of the effectiveness of information security control techniques. FISMA also requires\nan assessment of compliance with requirements and related information security policies,\nprocedures, standards, and guidelines. As part of the Fiscal Year 2004 FISMA independent\nevaluation of the U.S. Nuclear Regulatory Commission\xe2\x80\x99s (NRC) information technology security\nprogram, Richard S. Carson Associates, Inc. (Carson Associates) reviewed security controls for\nthe General License Tracking System (GLTS).\n\nGeneral License Tracking System\n\nGLTS facilitates the tracking and accountability of general licensees and generally licensed\ndevices with the implementation of a general license registration program. GLTS stores\ninformation about all current 10 CFR 31.5 and 31.7 general licensees, along with device\ninformation and vendor information. Of these licensees, a subset, based on a higher level of\nhealth and safety risk, will be subject to initial registration. The system includes automation\nnecessary to facilitate mailing, receipt, and input of registrations.\n\nThe NRC Office of Nuclear Material Safety and Safeguards is the GLTS system owner. The\nsystem is categorized as a Major Application2 and is in the operational3 phase of its life cycle.\n\nSystem Evaluation Process\n\nGLTS was evaluated by reviewing system documentation maintained by OCIO. As\nrecommended by the Office of Management and Budget (OMB), Carson Associates reviewed\nthe following documents for adherence to standards and consistency with guidelines issued by\nthe National Institute of Standards and Technology (NIST).\n\n    \xe2\x80\xa2    GLTS Risk Assessment, July 2002\n    \xe2\x80\xa2    GLTS Security Plan, August 2002\n    \xe2\x80\xa2    GLTS Business Continuity Plan, March 2004\n    \xe2\x80\xa2    GLTS Security Test and Evaluation Report, August 2002\n    \xe2\x80\xa2    GLTS System Certification Report, September 2002\n    \xe2\x80\xa2    Certification and Accreditation Statement, September/October 2002\n\n1\n  The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-\nGovernment Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act,\nwhich expired in November 2002.\n2\n  An application that requires special attention to security due to the risk and magnitude of harm resulting from the\nloss, misuse, or unauthorized access to or modification of the information in the application.\n3\n  A system\xe2\x80\x99s life cycle typically comprises five phases: initiation, development/acquisition, implementation,\noperation/maintenance, and disposal. In the operation/maintenance phase, systems are in place and operating,\nenhancements and/or modifications to the system are developed and tested, and hardware and/or software is added\nor replaced.\n\n\n                                                           1\n\x0c                                                                                      System Evaluation of GLTS\n\n\n\n\n      \xe2\x80\xa2   Privacy Impact Assessment\n      \xe2\x80\xa2   FY 2003 and draft FY 2004 GLTS Self-Assessment\n\nThe documents were reviewed to determine whether they are consistent with NIST guidance and\nwhether they describe the management4, operational5, and technical6 controls in place for GLTS.\n\n2         Purpose\n\nThe system evaluation objectives were to review and evaluate the management, operational, and\ntechnical controls for GLTS.\n\n3         Findings\n\nCarson Associates reviewed GLTS security documentation and found that:\n\n      \xe2\x80\xa2   GLTS security documentation is not always consistent with National Institute of\n          Standards and Technology guidelines.\n      \xe2\x80\xa2   Security protection requirements are inconsistent within GLTS security documentation.\n      \xe2\x80\xa2   Findings and recommendations resulting from testing are not consistently being tracked.\n\nNone of these weaknesses are considered to be significant deficiencies or reportable conditions\nas defined in Office of Management and Budget guidance.\n\n3.1       Security Documentation Is Not Always Consistent With NIST Guidelines\n\nFISMA directs the Secretary of Commerce, on the basis of standards and guidelines developed\nby NIST, to prescribe standards and guidelines pertaining to Federal information systems. NIST\nhas developed several guidelines and standards, including those for conducting risk assessments,\ndeveloping security plans, and contingency plans. NRC Management Directive (MD) 12.5, NRC\nAutomated Information Security Program, which was revised in September 2003, states that\nNRC shall comply with NIST guidance to include guidance related to the preparation of security\ndocumentation (such as system security plans, risk assessments, and contingency plans), and\nother applicable NIST guidance for information technology security processes, procedures, and\ntesting.\n\nThe previous version of MD 12.5 did not require compliance with NIST guidelines, however,\nOMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of\nFederal Automated Information Resources, states that each agency\xe2\x80\x99s program shall implement\n\n4\n  The security controls (i.e., safeguards or countermeasures) for an information system that focus on the\nmanagement of risk and the management of information system security.\n5\n  The security controls (i.e., safeguards or countermeasures) for an information system that primarily are\nimplemented and executed by people (as opposed to systems).\n6\n  The security controls (i.e., safeguards or countermeasures) for an information system that are primarily\nimplemented and executed by the information system through mechanisms contained in the hardware, software, or\nfirmware components of the system.\n\n\n                                                       2\n\x0c                                                                                 System Evaluation of GLTS\n\n\n\npolicies, standards and procedures which are consistent with government-wide policies,\nstandards, and procedures issued by the Office of Management and Budget, the Department of\nCommerce7, the General Services Administration and the Office of Personnel Management.\nOMB periodically reminds agencies that agency security practices should be consistent with\nNIST guidance. The FY 2004 FISMA guidance issued by OMB8 specifically states that agencies\nmust follow NIST standards and guidance. Use of NIST guidance is flexible, provided agency\nimplementation is consistent with the principles and processes outlined within the NIST\nguidance.\n\nCarson Associates reviewed the GLTS Risk Assessment, Security Plan, and Business Continuity\nPlan and found that while the documentation is up-to-date, it is not always consistent with NIST\nguidelines.\n\nGLTS Security Plan Does Not Describe All Security Controls Identified As In-Place\n\nOMB A-130 states that security plans shall be consistent with guidance issued by NIST. NIST\nSpecial Publication (SP) 800-18, Guide for Developing Security Plans for Information\nTechnology Systems, states that the purpose of a security plan is to provide an overview of the\nsecurity requirements of the system and describe controls in place or planned for meeting those\nrequirements. NIST SP 800-18 also states that the security plan should fully identify and\ndescribe the controls currently in place, or planned for the system. However, Carson Associates\nfound several areas in the Final System Security Plan for GLTS, dated August 23, 2002, where\ncontrols were not described.\n\nIn order to identify what controls are currently in place for GLTS, Carson Associates reviewed\nand analyzed two other documents in conjunction with the GLTS Security Plan \xe2\x80\x93 the GLTS self-\nassessment, and results from security test and evaluation of GLTS controls conducted during the\ncertification and accreditation of GLTS.\n\nFISMA requires agencies to test the management, operational, and technical controls of every\ninformation system identified in their inventory no less than annually. OMB has instructed\nagencies to use NIST SP 800-26, Self-Assessment Guide for Information Technology Systems, to\nconduct the annual reviews. NIST SP 800-26 is based on the Chief Information Officer\nCouncil\xe2\x80\x99s \xe2\x80\x9cFederal Information Technology Security Assessment Framework\xe2\x80\x9d (the Framework).\nThe Framework comprises five levels to guide agency assessments of their security programs\nand assist in prioritizing efforts for improvement. Level 1 reflects that an asset has documented\nsecurity policy. At Level 2, the asset also has documented procedures and controls to implement\nthe policy. For Level 3, procedures and controls have been implemented to protect the asset.\nLevel 4 indicates that procedures and controls are tested and reviewed. Finally, at Level 5, the\nasset has procedures and controls fully integrated into a comprehensive program.\n\nCarson Associates reviewed the FY 2003 GLTS self-assessment in order to identify controls in\nplace for GLTS. Any controls marked at least at a Level 3 in the GLTS self-assessment are\n\n7\n NIST is part of the Technology Administration within the Department of Commerce.\n8\n OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management\nAct, dated August 23, 2004.\n\n\n                                                    3\n\x0c                                                                            System Evaluation of GLTS\n\n\n\nconsidered to be in place based on the above definitions. The FY 2003 self-assessment was\nreviewed as the agency had only provided a draft of the FY 2004 self-assessment when the\nfieldwork was conducted.\n\nCarson Associates also reviewed the results of the security test and evaluation of GLTS controls\nconducted during the certification and accreditation of GLTS. Security certification is a\ncomprehensive assessment of the management, operational, and technical security controls in an\ninformation system, made in support of security accreditation, to determine the extent to which\nthe controls are implemented correctly, operating as intended, and producing the desired\noutcome with respect to meeting the security requirements for the system. Appendix D of the\nGLTS Security Test and Evaluation Report, dated August 16, 2002, includes test procedure\nworksheets used to record the results of the testing. The test objectives on the test procedure\nworksheets correspond to the control objectives in the NIST SP 800-26 self-assessment. Each\ntest objective is marked as either pass, fail, or not applicable. A test objective marked as pass\nrepresents a security control that is in place.\n\nAs a result of the review of the GLTS Security Plan, self-assessment, and security test and\nevaluation results, Carson Associates identified several cases where the information in the GLTS\nSecurity Plan, self-assessment and test procedure worksheets is inconsistent. The following are\nsome examples:\n\n   \xe2\x80\xa2   Controls for matching personnel files with user accounts to ensure that terminated or\n       transferred individuals do not retain system access are marked as \xe2\x80\x9cpass\xe2\x80\x9d on the test\n       procedure worksheets, however the same control is marked as \xe2\x80\x9cnot applicable\xe2\x80\x9d in the FY\n       2003 GLTS self-assessment. In the FY 2004 GLTS self-assessment, the control is\n       marked to indicate the control is done at the local area network level, not at the\n       application level. The GLTS Security Plan does not describe these controls.\n   \xe2\x80\xa2   The test control worksheets indicate that penetration testing is performed on the system.\n       The GLTS self-assessment indicates that penetration testing is the responsibility of the\n       local area network/wide area network and/or Data Center. Penetration testing is not\n       described in the GLTS Security Plan.\n   \xe2\x80\xa2   OFFICIAL USE ONLY BULLET REDACTED\n\n\n\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   1. Update the GLTS Security Plan to describe all controls currently in place. In-place\n      controls are those marked at least at Level 3 in the self-assessment, and that were\n\n\n\n                                                4\n\x0c                                                                               System Evaluation of GLTS\n\n\n\n       documented as passed in the last Security Test and Evaluation Report, or in any test and\n       evaluation on controls added since publication of that report.\n\n   2. Update the GLTS self-assessment to reflect controls in place. In-place controls are those\n      that were documented as passed in the last Security Test and Evaluation Report, or in any\n      test and evaluation on controls added since publication of that report.\n\nGLTS Business Continuity Plan Is Not Consistent With NIST Guidelines\n\nCarson Associates reviewed the GLTS Business Continuity Plan (BCP), dated March 31, 2004.\nGuidance on developing contingency plans can be found in NIST SP 800-34, Contingency\nPlanning Guide for Information Technology Systems, which was published in June 2002. As\nrecommended by OMB, Carson Associates reviewed the GLTS BCP for consistency with NIST\nguidelines and found that in some instances, the GLTS BCP is not consistent with NIST\nguidelines.\n\nAccording to the agency, NRC requires annual updates of all BCPs, however NRC only requires\nconformance with current NIST guidance at the time of re-accreditation. This policy is not\ndocumented in any agency management directive or in any documentation reviewed by Carson\nAssociates. Carson Associates was informed of this policy during the exit conference held to\ndiscuss the findings of the GLTS system evaluation. Subsequent to the exit conference, Carson\nAssociates reviewed previous NIST guidance on the preparation of contingency plans, Federal\nInformation Processing Standards (FIPS) Publication 87, Guidelines for ADP Contingency\nPlanning, and found that the GLTS BCP (both the 2004 version and the previous version, dated\nSeptember 27, 2002) is also not consistent with the FIPS 87 guidance. It should be noted that the\nprevious version of the GLTS BCP was published in September 27, 2002, which was after NIST\nissued SP 800-34. As stated earlier in this report, while the version of MD 12.5 that was in effect\nat the time the GLTS BCP was published did not require compliance with NIST guidelines,\nOMB requires agencies to follow NIST standards and guidance.\n\nNIST SP 800-34 states that the contingency plan should be a living document that is changed as\nrequired to reflect system, operational, or organizational changes. Modifications made to the\nplan should be recorded in a record of changes. The GLTS BCP does not include any\ninformation on what changes have been made to the plan and when. Without this information,\nCarson Associates could not determine whether the BCP was updated as part of the annual\nrequirement, or as part of a system re-accreditation. The only indication that the BCP was a\nrevision was the word \xe2\x80\x9cRevised\xe2\x80\x9d on the cover page. FIPS 87 also states that an essential element\nof any volatile document, such as a contingency plan, is a method of recording changes to the\ndocument.\n\nNIST SP 800-34 describes notification procedures and states that they should be documented in\nthe plan for both events that occur with and without prior notice. For example, advanced notice\nis often given that a hurricane will affect an area or that a computer virus is expected on a certain\ndate. However, there may be no notice of equipment failure or a criminal act. The procedures\nshould describe the methods used to notify recovery personnel during business and non-business\nhours. Prompt notification is important for reducing the effects on the system; in some cases, it\n\n\n\n                                                  5\n\x0c                                                                              System Evaluation of GLTS\n\n\n\nmay provide enough time to allow system personnel to shut down the system gracefully to avoid\na hard crash.\n\nNIST SP 800-34 also states that personnel to be notified in the event of a disaster should be\nclearly identified in the contact list appended to the plan. The list should identify personnel by\ntheir team position, name, and contact information (e.g., home number, work number, pager\nnumber, e-mail addresses, and home addresses). FIPS 87 also stresses the importance of\nincluding the name, address, and phone numbers of all people who may be required in any\nbackup or recovery scenario in the BCP.\n\nOFFICIAL USE ONLY PARAGRAPH REDACTED\n\n\n\n\nNIST SP 800-34 defines the reconstitution phase as when recovery activities are terminated and\nnormal operations are transferred back to the organization\xe2\x80\x99s facility. The reconstitution phase\nshould specify teams responsible for restoring or replacing both the site and the system. The\nGLTS BCP does not include procedures for restoring system operations that include procedures\nfor cleaning the alternate site of any equipment or other materials belonging to the organization,\nwith a focus on handling sensitive information. While FIPS 87 does not discuss specific\nprocedures to be followed for cleaning the alternate site of any equipment or other materials\nbelonging to the organization, these procedures are necessary to ensure that no sensitive\nmaterials remain at the alternate site.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   3. Update the GLTS Business Continuity Plan to include the following changes:\n\n       \xe2\x80\xa2   Record modifications to the plan in a record of changes to include what changes were\n           made (e.g., the page numbers or section numbers where the changes were made), why\n           the changes were made (e.g., annual update or update during re-accreditation), and\n           date of change.\n       \xe2\x80\xa2   Describe the methods used to notify recovery personnel during business and non-\n           business hours.\n\n\n                                                  6\n\x0c                                                                                            System Evaluation of GLTS\n\n\n\n\n          \xe2\x80\xa2   Incorporate all teams roles and responsibilities and relevant points of contact\n              information for team leaders, alternate team leaders, and team members.\n          \xe2\x80\xa2   Include procedures for restoring system operations, with a focus on how to clean the\n              alternate site of any equipment or other materials belonging to the organization.\n\n3.2       Security Protection Requirements Are Inconsistent Within Security\n          Documentation\n\nFISMA defines the term \xe2\x80\x9cinformation security\xe2\x80\x9d to mean protecting information and information\nsystems from unauthorized access, use, disclosure, disruption, modification, or destruction in\norder to provide confidentiality, integrity, and availability. Confidentiality is preserving\nauthorized restrictions on information access and disclosure, including means for protecting\npersonal privacy and proprietary information. Integrity is guarding against improper information\nmodification or destruction, and includes ensuring information non-repudiation and authenticity.\nAvailability is ensuring timely and reliable access to and use of information. Confidentiality,\nintegrity and availability are often referred to as security protection requirements or security\nobjectives for a system.\n\nFIPS Publication 199, Standards for Security Categorization of Federal Information and\nInformation Systems, requires all Federal agencies to categorize their systems by assigning\npotential impact levels to the three security objectives. The potential impact is low if the loss of\nconfidentiality, integrity, or availability could be expected to have a limited adverse effect on\norganizational operations, organizational assets, or individuals.9 The potential impact is\nmoderate (medium) if the loss of confidentiality, integrity, or availability could be expected to\nhave a serious adverse effect on organizational operations, organizational assets, or individuals.\nThe potential impact is high if the loss of confidentiality, integrity, or availability could be\nexpected to have a severe or catastrophic adverse effect on organizational operations,\norganizational assets, or individuals.\n\nThe GLTS Security Plan defines protection requirements for GLTS as follows:\n\n      \xe2\x80\xa2   Confidentiality \xe2\x80\x93 Medium\n      \xe2\x80\xa2   Integrity \xe2\x80\x93 High\n      \xe2\x80\xa2   Availability \xe2\x80\x93 Medium\n\nHowever, the FY 2003 GLTS self-assessment and FY 2004 draft GLTS self-assessment\ndefine protection requirements for GLTS as follows:\n\n      \xe2\x80\xa2   Confidentiality \xe2\x80\x93 Medium\n      \xe2\x80\xa2   Integrity \xe2\x80\x93 High\n      \xe2\x80\xa2   Availability \xe2\x80\x93 Low\n\n\n\n9\n Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are\nentitled under law.\n\n\n                                                           7\n\x0c                                                                             System Evaluation of GLTS\n\n\n\nThe protection requirements should be consistent across the security documentation for a\nsystem. A change in protection requirements could indicate a need to re-evaluate the risks to\nthe systems, especially if the change is from a lower rating to a higher one. If the protection\nrequirements have changed since the GLTS Security Plan was finalized, then an explanation\nfor the change should be noted on the GLTS self-assessment.\n\nRECOMMENDATION\n\n      The Office of the Inspector General recommends that the Executive Director for Operations:\n\n      4. Update the GLTS Security Plan and/or GLTS self-assessment to consistently define the\n         protection requirements (confidentiality, integrity, availability).\n\n3.3      Findings and Recommendations Resulting From Testing Are Not\n         Consistently Being Tracked\n\nThe FY 2003 FISMA independent evaluation of NRC\xe2\x80\x99s information security program found that\nthe agency\xe2\x80\x99s corrective action process needed improvement. NRC has two primary tools for\ntracking the progress of corrective actions related to correcting weaknesses identified during the\nannual agency security review, the OIG independent evaluation, various security documents, and\nother security studies conducted by or on behalf of the agency. At a high level, NRC uses the\nPOA&M submitted to OMB to track corrective actions from the OIG annual independent\nevaluation, and the agency\xe2\x80\x99s annual review. At a more detailed, level, NRC uses the NRC\nInformation Technology Systems Security Tracking System (ITSSTS) to track the progress of\ninternal corrective actions (i.e., those not reported to OMB). ITSSTS is used to track more\nspecific corrective actions, such as those resulting from risk assessments; security test and\nevaluation associated with the certification and accreditation process; and contingency plan\ntesting.\n\nThe FY 2003 FISMA independent evaluation of NRC\xe2\x80\x99s information security program also found\nthat not all corrective actions resulting from security reviews and testing were being tracked.\nThe OIG recommended that the agency identify all weaknesses and recommendations from\nsecurity documentation and any other security reviews, and determine in which tool the\nrecommendations will be tracked. In November 2003, OCIO issued a memo describing the\nagency\xe2\x80\x99s information technology security action item tracking process, strategy, and tools. The\nmemo describes the types of activities that might identify security weaknesses in NRC\ninformation technology systems and describes the two tools used by NRC for tracking the\nprocess of security corrective actions \xe2\x80\x93 the FISMA POA&M and the ITSSTS. Carson\nAssociates found that findings and recommendations resulting from testing of GLTS security\ncontrols and from GLTS contingency plan testing are not consistently being tracked.\n\nNot All Findings Resulting from the GLTS Certification and Accreditation Are Being\nTracked\n\nThe GLTS Risk Assessment identified eight risks and Carson Associates found that all of them\nwere tracked in the ITSSTS. The GLTS Security Test and Evaluation Report also identified\neight risks, however these were not the same eight risks identified in the GLTS Risk Assessment.\n\n\n                                                 8\n\x0c                                                                            System Evaluation of GLTS\n\n\n\nTwo of risks identified in the GLTS Risk Assessment were not identified during the security test\nand evaluation. These risks were 1) no individual assigned security responsibility for GLTS, and\n2) no documented termination procedures are in place to ensure user access to GLTS is removed.\nThese risks are being tracked in the ITSSTS. However, two new risks were identified during the\nsecurity test and evaluation. These risks were 1) no system security plan in place for GLTS, and\n2) adequate audit trails are not maintained by GLTS. However, these two risks are not being\ntracked in the ITSSTS.\n\nCarson Associates could not determine why the two new risks identified during security test and\nevaluation were not being tracked in the ITSSTS. A possible cause is that since the total number\nof risks identified during the risk assessment and the security test and evaluation were the same,\nthe two new risks may have been overlooked.\n\nFindings and Recommendations Resulting from the GLTS BCP Testing Are Not\nConsistently Being Tracked\n\nCarson Associates reviewed the GLTS Business Continuity Test Report, dated May 18, 2004.\nTests of the BCP were conducted in April 2004 by using a walk through tabletop exercise. Three\ntests scenarios were performed to include: (1) GLTS server outage, (2) Two White Flint North\nData Center is unavailable, and (3) Loss of availability of both NRC Buildings (One and Two\nWhite Flint North). The testing identified four shortcomings, and resulted in three\nrecommendations. The agency is tracking the four shortcomings in their internal tracking\nsystem, but is tracking the three recommendations in the POA&M to OMB.\n\nOFFICIAL USE ONLY PARAGRAPH REDACTED\n\n\n\n\nOFFICIAL USE ONLY PARAGRAPH REDACTED\n\n\n\n\n                                                9\n\x0c                                                                           System Evaluation of GLTS\n\n\n\nThere is no recommendation that correlates to the 1st shortcoming, and the last recommendation\ndoes not correlate to any of the shortcomings. All four shortcomings are being tracked in the\nITSSTS, and all three recommendations are being tracked in the POA&M submitted to OMB.\nHowever, since there is not a relationship between all of the shortcomings and the\nrecommendations, the shortcomings and recommendations are not being tracked consistently\nacross the agency\xe2\x80\x99s tracking systems. The first shortcoming is only being tracked in the ITSSTS,\nand the last recommendation is only being tracked in the POA&M submitted to OMB. Tracking\nshortcomings (i.e., weaknesses) in one system and recommendations in another could result in\nweaknesses not being addressed or overlooked, or in recommendations not being corrected on\ntime.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   5. Track all actions items resulting from testing of the GLTS security controls and\n      contingency plan in either the agency\xe2\x80\x99s internal tracking system or in the agency\xe2\x80\x99s plan of\n      action and milestones submitted to OMB.\n\n\n\n\n                                               10\n\x0c                                                                             System Evaluation of GLTS\n\n\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Update the GLTS Security Plan to describe all controls currently in place. In-place\n       controls are those marked at least at Level 3 in the self-assessment, and that were\n       documented as passed in the last Security Test and Evaluation Report, or in any test and\n       evaluation on controls added since publication of that report.\n\n    2. Update the GLTS self-assessment to reflect controls in place. In-place controls are those\n       that were documented as passed in the last Security Test and Evaluation Report, or in any\n       test and evaluation on controls added since publication of that report.\n\n    3. Update the GLTS Business Continuity Plan to include the following changes:\n\n       \xe2\x80\xa2   Record modifications to the plan in a record of changes to include what changes were\n           made (e.g., the page numbers or section numbers where the changes were made), why\n           the changes were made (e.g., annual update or update during re-accreditation), and\n           date of change.\n       \xe2\x80\xa2   Describe the methods used to notify recovery personnel during business and non-\n           business hours.\n       \xe2\x80\xa2   Incorporate all teams roles and responsibilities and relevant points of contact\n           information for team leaders, alternate team leaders, and team members.\n       \xe2\x80\xa2   Include procedures for restoring system operations, with a focus on how to clean the\n           alternate site of any equipment or other materials belonging to the organization.\n\n    4. Update the GLTS Security Plan and/or GLTS self-assessment to consistently define the\n       protection requirements (confidentiality, integrity, availability).\n\n    5. Track all actions items resulting from testing of the GLTS security controls and\n       contingency plan in either the agency\xe2\x80\x99s internal tracking system or in the agency\xe2\x80\x99s plan of\n       action and milestones.\n\n\n\n\n                                                11\n\x0c                                                                       System Evaluation of GLTS\n\n\n\n5      OIG Response to Agency Comments\n\nOn September 13, 2004, the Executive Director for Operations provided comments concerning\nthe draft system evaluation report. We modified the report as we determined appropriate in\nresponse to these comments.\n\n\n\n\n                                             12\n\x0cOFFICIAL USE ONLY                                                                      Appendix A\n                                                                        System Evaluation of GLTS\n\n\nSCOPE AND METHODOLOGY\n\nTo perform the GLTS system evaluation, Carson Associates reviewed the system\xe2\x80\x99s security\ndocumentation, including the Security Plan, Risk Assessment, self-assessment, Business\nContinuity Plan, System Test and Evaluation Report, Certification and Accreditation\ndocumentation, and the completion of weaknesses addressed, if any, within the FY 2003 plan of\naction and milestones. Comprehensive document checklists were used in the evaluation process.\n\nThe work was conducted from June 2004 to August 2004 in accordance with guidelines from the\nNational Institute of Standards and Technology, and best practices for evaluating security\ncontrols. Diane Reilly and Jane Laroussi from Carson Associates conducted the work.\n\n\n\n\n                                             13\n\x0cOFFICIAL USE ONLY                                                    Appendix A\n                                                      System Evaluation of GLTS\n\n\n\n\n                    [Page intentionally left blank]\n\n\n\n\n                                  14\n\x0c'